Banks warned over impending ATM cash-out attacks

Imminent attacks believed linked to compromise at major card issuer

Banks around the world have been warned about an imminent attack that will enable cyber criminals around the world to drain money from banks' cash machines.

The FBI issued the warning on Friday of what it has described as an ATM cash-out attack. It has warned that the attackers have, or are likely to, target a single bank.

Striking at the weekend, associates of the cyber criminals at the centre of the attacks will use cloned cards across the world to drain accounts of cash - in some cases, using malware to ensure that the accounts are fully topped up and withdrawal limits suspended.

That's according to Krebs on Security, who claims that FBI intelligence indicates that cyber criminals across the world are preparing to carry out the highly choreographed cash-out imminently.

"The FBI has obtained unspecified reporting indicating cyber criminals are planning to conduct a global Automated Teller Machine (ATM) cash-out scheme in the coming days, likely associated with an unknown card issuer breach and commonly referred to as an ‘unlimited operation'," reads a confidential alert sent out by the FBI, shared privately with US banks last Friday.

It continues: "Historic compromises have included small-to-medium size financial institutions, likely due to less robust implementation of cyber security controls, budgets, or third-party vendor vulnerabilities," the alert says. "The FBI expects the ubiquity of this activity to continue or possibly increase in the near future."

Just before executing ATM cashouts, the organised cyber crime gangs will remove many of the fraud controls of the banks using phishing techniques, such as removing the maximum ATM withdrawal amount, or any limits on the number of customer transactions per day, maximising how much they can steal.

The crooks could also have the capability to alter account balances and security measures to make an unlimited amount of money available at the time of the transactions.

"The cyber criminals typically create fraudulent copies of legitimate cards by sending stolen card data to co-conspirators who imprint the data on reusable magnetic strip cards, such as gift cards purchased at retail stores," the FBI warned. "At a pre-determined time, the co-conspirators withdraw account funds from ATMs using these cards."

Almost all of the ATM cashout operations launched so far have been done so on weekends, Krebs said, often just after financial institutions begin closing for business on Saturday.

In preparation for the forthcoming attacks, the FBI is now urging banks to review how they handle security, such as implementing two-factor authentication using a physical or digital token when possible for local administrators and business critical roles, said Krebs.

The warning comes two years after a series of ATM-based heists against banks in Japan, Taiwan and Thailand. They were linked to a gang believed to be from Eastern Europe and Russia. ATMs made by Wincor Nixdorf had been targetted.

Last week, the Black Hat security conference in the US heard about a ‘God mode' implemented in Via C3 x86-compatible processors that, among other applications, were embedded in some cash machines made in the early 2000s.